b"   United States Department of Agriculture\n   Office of Inspector General\n\n\n\n\nAudit of the Office of the Chief Information\nOfficer's FYs 2010 and 2011 Funding Received\nfor Security Enhancements\n\n\n\n\n                                             Audit Report 88401-0001-12\n                                             August 2012\n\x0c                           United States Department of Agriculture\n                                  Office of Inspector General\n                                   Washington, D.C. 20250\n\n\nDATE:          August 2, 2012\n\nAUDIT\nNUMBER:        88401-0001-12\n\nTO:            Cheryl L. Cook\n               Acting, Chief Information Officer\n               Office of the Chief Information Officer\n\nATTN:          Denice Lotson\n               Acting Agency Audit Liaison\n\n\nFROM:          Gil H. Harden\n               Assistant Inspector General for Audit\n\nSUBJECT:       Audit of the Office of the Chief Information Officer\xe2\x80\x99s FYs 2010 and 2011\n               Funding Received for Security Enhancements\n\n\nThis report presents the results of the subject review. Your written response to the official draft\nis included at the end of this report. Excerpts of your June 21, 2012, response and the Office of\nthe Inspector General\xe2\x80\x99s (OIG) position are incorporated into the applicable sections of the report.\n\nWe accept management decision for Recommendation 1. Based on your response, we were\nunable to reach management decision on Recommendations 2, 3, and 4. Management decision\nfor these recommendations can be reached once you have provided the additional information\noutlined in the OIG Position section under each recommendation.\n\nIn accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days\ndescribing the corrective actions taken or planned, and timeframes for implementing the\nrecommendations for which management decisions have not been reached. 
Please note that the\nregulation requires management decision to be reached on all recommendations within 6 months\nfrom report issuance, and final action to be taken within 1 year of each management decision to\nprevent being listed in the Department\xe2\x80\x99s annual Performance and Accountability Report. Please\nfollow your internal agency procedures in forwarding final action correspondence to the Office\nof the Chief Financial Officer.\n\nWe appreciate the courtesies and cooperation extended to us by members of your staff during our\naudit fieldwork and subsequent discussions.\n\x0c\x0cTable of Contents\n\n\nExecutive Summary .................................................................................................1\nBackground and Objectives ....................................................................................3\nSection 1: Effectively Plan, Prioritize, and Manage Projects .............................5\n   Finding 1: OCIO Needs to Effectively Plan, Prioritize, and Manage its\n   Projects ..................................................................................................................5\n         Recommendation 1 ......................................................................................12\n         Recommendation 2 ......................................................................................13\n         Recommendation 3 ......................................................................................13\n   While OIG concurs with OCIO\xe2\x80\x99s proposed actions, in order to reach\n   management decision, OCIO needs to formalize this requirement in a policy\n   and procedure and provide estimated release dates. 
......................................14\n         Recommendation 4 ......................................................................................14\nScope and Methodology.........................................................................................15\nAbbreviations .........................................................................................................16\nExhibit A: OCIO Projects Not in Budgetary Request to Congress ..................17\nAgency\xe2\x80\x99s Response .................................................................................................19\n\x0c\x0cOffice of the Chief Information Officer\xe2\x80\x99s FYs 2010 and 2011\nFunding Received for Security Enhancements\n\nExecutive Summary\n\nIn fiscal year (FY) 2010, Congress provided the Office of the Chief Information Officer (OCIO)\na $44 million increase to its baseline appropriations from approximately $18 million to\n$62 million for security enhancements within the Department of Agriculture (USDA). In\nFY 2011, OCIO received $22 million in additional security enhancement funding for a total\nappropriation of $40 million. These funds were intended to help OCIO improve USDA\xe2\x80\x99s\ninformation technology (IT) security posture.1 To accomplish this, OCIO selected 16 projects\nand, as of April 2, 2012, had expended $63.4 million on these projects. We initiated this audit to\ndetermine how OCIO utilized funding in FYs 2010 and 2011, primarily focusing on the increase\nfor security enhancements in OCIO\xe2\x80\x99s annual appropriation request.\n\nOver the last few years, OCIO has taken action towards improving security efforts at the\nDepartment, such as establishing the Agriculture Security Operations Center (ASOC) as an\nenterprise operational presence for OCIO\xe2\x80\x99s security activities. 
Prior to this, the only security\norganization at the Department-level was primarily focused on policy and compliance tracking.\nASOC now has Federal employees with the requisite skills that provide enterprise services in\nsecurity engineering, monitoring and analysis, incident handling, and security integration.\nWithin ASOC, the Department has deployed security management tools to monitor and protect\nnetwork traffic.\n\nWhile we acknowledge that OCIO has made progress in addressing USDA\xe2\x80\x99s security posture,\nthere is further need for improvement. Since 2009, we have noted that OCIO should prioritize its\nefforts to mitigate IT security weaknesses and accomplish a manageable number of the highest\npriority projects before proceeding to the next set of priorities.2 We continue to find that OCIO\xe2\x80\x99s\nefforts should have been strategically planned, prioritized, and managed in order to be more\neffective. First, we found that several of OCIO\xe2\x80\x99s projects did not meet the purposes outlined in\nthe Congressional request for funding or address the Department\xe2\x80\x99s most critical IT security\nconcerns.3 For example, OCIO funded an intern program for a total of $2 million which, while\nfunded as a security enhancement project, only resulted in one intern being hired full-time for\nASOC. In other instances, we found that OCIO exceeded proposed budgets for projects, or did\nnot allot sufficient funding to key security areas. Second, we found that some projects were not\ncompletely implemented. For example, we found that OCIO had only assigned two individuals\nto analyze 13.3 terabytes of security alert data per day, resulting in the analysis of approximately\n\n1\n  Security posture describes how well an organization has minimized security risks. It consists of technical and non-\ntechnical policies, procedures, and controls that are the result of the strategy an organization undertakes to minimize\nrisks.\n2\n  U.S. 
Department of Agriculture, Office of the Chief Information Officer, Federal Information Security\nManagement Act Report, FYs 2009-2011, 50501-0015-FM, (October 2009), 50501-0002-IT, (November 2010), and\n50501-0002-12 (November 2011).\n3\n  2010 USDA Budget Explanatory Notes for Committee on Appropriations, Office of the Chief Information Officer,\n(April 2009).\n\n                                                                           AUDIT REPORT 88401-0001-12                1\n\x0c10 security incidents a week.4 The actual number of weekly incidents is unknown and could\nvary each week. OCIO stated that regardless of the resources available, the amount of\ninformation gathered is so massive it would require a tremendous workforce to evaluate all\nincidents identified by the security sensor array.5 Lastly, other projects were not sufficiently\ncoordinated, which included projects with duplicate objectives. For example, OCIO spent\n$235,000 on a project that duplicated another project\xe2\x80\x99s objectives, and was subsequently\ncancelled. This occurred because OCIO did not adequately develop oversight mechanisms and\ninternal controls to plan projects, coordinate and communicate between projects, or determine\nhow it would effectively utilize its resources. Because these projects were not effectively\nplanned, coordinated, or managed, the Department\xe2\x80\x99s information systems are still at risk.\n\nRecommendation Summary\nOCIO should document the prioritization of projects Departmentwide, develop detailed internal\ncontrol procedures for project management, and strengthen communication and coordination\nbetween OCIO management, project managers, account managers, and contractors.\n\nAgency Response\n\nIn its written response dated June 21, 2012, OCIO concurred with the four recommendations in\nthis report. Excerpts from the response and OIG's position have been incorporated into the\nrelevant sections of the report. 
The written response is included in its entirety at the end of the\nreport.\n\nOIG Position\n\nWe accept OCIO's management decision for Recommendation 1. For Recommendations 2, 3,\nand 4, OCIO needs to specify actions to be taken and provide an estimated completion date for\nimplementation.\n\n\n\n\n4\n  A terabyte is defined as a unit of storage capacity equal to one trillion bytes. A byte is about one character (e.g., a\nletter or a number).\n5\n  The ASOC security sensor array is a comprehensive and cohesive integrated security solution comprised of a suite\nof security tools, which have been deployed at multiple locations across the country within the USDA\xe2\x80\x99s network and\nis the foundation for enterprise wide security monitoring, detection, and protection.\n\n2      AUDIT REPORT 88401-0001-12\n\x0cBackground and Objectives\n\nBackground\nThe Clinger-Cohen Act of 1996 required the establishment of a Chief Information Officer (CIO)\nfor each major Federal agency. The Act requires USDA to maximize the value of IT\nacquisitions to improve the efficiency and effectiveness of its programs. 
To meet the intent of\nthe law and to provide a Departmental focus for information resources management issues,\nUSDA established OCIO.6 The CIO serves as the primary advisor to the Secretary on IT issues.\nThe OCIO website states its \xe2\x80\x9cprimary responsibility is to supervise and coordinate within USDA\nthe design, acquisition, maintenance, use, and disposal of IT by USDA agencies, as well as\nmonitoring the performance of USDA's IT programs and activities.\xe2\x80\x9d 7\n\nOne of OCIO\xe2\x80\x99s primary responsibilities is to oversee the Department\xe2\x80\x99s IT systems and security\nefforts.8 Specifically, this includes:\n\n    \xc2\xb7   Periodic risk assessments that consider internal and external threats;\n    \xc2\xb7   Development and implementation of risk-based, cost-effective policies and procedures to\n        provide security protections for the Department\xe2\x80\x99s information;\n    \xc2\xb7   Training that covers security responsibilities for personnel;\n    \xc2\xb7   Periodic management testing and evaluation of the effectiveness of security policies,\n        procedures, controls, and techniques;\n    \xc2\xb7   Processes for identifying and remediating significant security deficiencies;\n    \xc2\xb7   Procedures for detecting, reporting, and responding to security incidents; and\n    \xc2\xb7   Annual program reviews by Department officials.\n\nTo evaluate IT security needs throughout the Department, OCIO created a 36-month plan and in\nMay 2009 organized a team, referred to as the Tiger Team, which identified the Department\xe2\x80\x99s\ntop security issues. 
The team consisted of 5 of USDA\xe2\x80\x99s 33 agencies and offices.9 The Tiger\nTeam identified almost 100 issues and a series of 37 solutions for those security issues, which\nwere intended to be the basis for implemented projects.\n\nIn April 2009, OCIO requested a $44 million increase to its baseline of $18 million for security\nenhancements within the Department, which it received for FY 2010.10 In FY 2011, OCIO\nreceived $22 million in additional funding, which was $22 million less than it anticipated. In\naddition, OCIO received an extra $27 million in FY 2012 above the FY 2009 baseline of\n\n\n\n6\n  Secretary\xe2\x80\x99s Memorandum 1030-30 (August 8, 1996).\n7\n  http://www.ocio.usda.gov/index.html.\n8\n  Public Law 107-347, e-Government Act, Title III FISMA.\n9\n  The five agencies consisted of OCIO, the Food and Nutrition Service, the Animal and Plant Health Inspection\nService, the Office of the Chief Financial Officer, and the Forest Service\xe2\x80\x94which constitutes a small portion of\nUSDA\xe2\x80\x99s total 33 agencies and offices.\n10\n   Public Law 111-81, Agriculture, Rural Development, Food and Drug Administration, and Related Agencies\nAppropriation Bill, 2010 (June 23, 2009).\n\n                                                                         AUDIT REPORT 88401-0001-12               3\n\x0c$18 million. These increased funds were intended to improve the Department\xe2\x80\x99s IT security by\nconducting network security assessments, procuring and deploying security tools, and\nestablishing the ASOC to monitor and protect USDA\xe2\x80\x99s systems. As of April 2, 2012, OCIO had\nexpended $63.4 million on security enhancements. OCIO selected 16 projects to enhance the\nDepartment\xe2\x80\x99s IT security. In FY 2010, OCIO chose to initiate all 16 projects simultaneously,\nexpecting a continuation of funding in future years. 
However, in April 2011, Congress\ndecreased OCIO\xe2\x80\x99s appropriation as part of the continuing resolution.11 This caused projects to\nbe severely scaled back and project timelines to be extended further into the future.\n\nObjectives\nThe objective of this audit was to determine how OCIO utilized funding in FYs 2010 and 2011,\nprimarily focusing on the increase for security enhancements requested by OCIO and the internal\ncontrols implemented to ensure the funds were expended in a manner to mitigate the risk of\nwaste and mismanagement.\n\n\n\n\n11\n     Public Law 112-10, Department of Defense and Full Year Continuing Appropriations Act 2011 (April 15, 2011).\n\n4        AUDIT REPORT 88401-0001-12\n\x0cSection 1: Effectively Plan, Prioritize, and Manage Projects\n\nFinding 1: OCIO Needs to Effectively Plan, Prioritize, and Manage its\nProjects\nWhile OCIO has made progress in addressing the Department\xe2\x80\x99s security needs, OCIO\xe2\x80\x99s efforts\nwould have been more effective if strategically planned, prioritized, and managed. Specifically,\nwe found that some of OCIO\xe2\x80\x99s projects did not meet the purposes outlined in the Congressional\nrequest for funding or were not targeted to improve the most critical IT security risks.12\nAdditionally, some of these projects were not completely implemented, and were not sufficiently\ncoordinated. This occurred because OCIO did not adequately plan projects and determine how it\nwould utilize both internal and external resources. Additionally, OCIO did not establish the\ninternal control procedures for project management necessary to track and monitor expenditures\nand project progress. 
Because these projects were not effectively managed, the Department\xe2\x80\x99s\ninformation systems are still at risk, even after expending $63.4 million of funding increases\nreceived in FY 2010 and 2011.13\n\nAccording to OCIO, in 2009, USDA networks were under constant attack and were targeted by\nan abundance of malicious activity, and USDA had no visibility into its own networks. The only\nmeans for the Department to become aware of these compromises was if the Department of\nHomeland Security, law enforcement, or other intelligence agencies informed OCIO of a\nproblem, which happened frequently. Since that time, OCIO has established ASOC. Prior to\nthis, the only security organization at the Department-level was primarily focused on policy and\ncompliance tracking. ASOC now has federal employees with the requisite skills that provide\nenterprise services in security engineering, monitoring and analysis, incident handling, and\nsecurity integration. Additionally, in FY 2011, ASOC stated that it responded to three times as\nmany incidents compared to FY 2010, indicating that USDA is evolving to a more mature and\nproactive stance regarding security monitoring and incident handling. Within ASOC, the\nDepartment has deployed security management tools to monitor and protect network traffic. Due\nto this increase of insight into USDA\xe2\x80\x99s network, ASOC has been able to detect a number of\nincidents and block malicious activity as it occurs.\n\nThe Department has also implemented the Tivoli Endpoint Manager, an inventory management\nsystem, on over 140,000 endpoint devices, such as desktops, laptops, and servers.14 This has\nallowed the Department to gather data and report to the agencies on a number of potential\nvulnerabilities in real-time and determine the risk presented by emerging threats. 
This reporting\neffort has resulted in improved ability to manage the numerous USDA endpoints at risk.\n\nWhile OCIO has made progress in addressing the Department\xe2\x80\x99s IT security weaknesses, there is\nroom for improvement. In FY 2009, we recommended that OCIO\xe2\x80\x99s efforts to mitigate material\n\n12\n   2010 USDA Budget Explanatory Notes for Committee on Appropriations, Office of the Chief Information\nOfficer, 111st Cong., 2nd sess. (April 2009).\n13\n   As of April 2, 2012, OCIO had expended $63.4 million for IT security enhancements.\n14\n   The Tivoli Endpoint Manager project established a Departmentwide inventory management system to report the\nstatus of all USDA devices.\n\n                                                                      AUDIT REPORT 88401-0001-12                5\n\x0cIT security weaknesses in the Department be prioritized, with defined goals and realistic\ntimeframes. We also recommended that OCIO accomplish a defined set of critical objectives\nprior to proceeding on to the next set of priorities.15 OCIO concurred with these\nrecommendations. However, when we did further audit work of OCIO\xe2\x80\x99s efforts in FY 2011, we\nnoted the same issues and once again recommended that USDA undertake a manageable number\nof its highest priority projects and show measureable progress towards the milestones for each\nactive project.16 As of April 2012, we have not achieved management decision on this\nrecommendation. OCIO has not sufficiently prioritized or managed its projects intended to\nreduce critical IT security weaknesses. Specifically, OCIO did not always 1) expend resources\nto sufficiently address the most critical IT security weaknesses, 2) fully implement projects, or 3)\nefficiently manage resources both collaboratively between projects and within individual\nprojects. 
Instead, OCIO initiated 16 projects simultaneously.\n\n        Expenditures Did Not Sufficiently Address Established, Critical IT Security Weaknesses\n        When requesting an increase in funding from Congress, OCIO proposed that these funds\n        would be used to bolster three IT security areas: Network Security Assessments, Security\n        Tools, and a Security Operations Center. For FY 2010, Congress specified that the\n        $44 million increase in funding should be used \xe2\x80\x9cto improve the Department\xe2\x80\x99s information\n        technology security by conducting network security assessments, procuring and\n        deploying security tools, and establishing the Agriculture Security Operations Center to\n        monitor and protect USDA\xe2\x80\x99s systems.\xe2\x80\x9d17 However, we found that when OCIO received\n        its funding increase for the proposed projects, it did not use the money exclusively for the\n        purposes outlined in its Congressional request or for projects addressing the\n        Department\xe2\x80\x99s most critical IT security concerns.\n\n        We found that OCIO did not always use the allocated money as requested to complete the\n        most critical IT security projects. For example, in FY 2010, OCIO spent $4.7 million on\n        other projects, rather than on network security assessments, as proposed to Congress. As\n        a result, though OCIO stated to Congress that it would complete 11 network assessments\n        by FY 2010, we found that it only completed 8 by the end of that year.18 While providing\n        some benefits, the completed network security assessments, costing $2.7 million, did not\n        meet Federal guidelines.19 For example, OCIO\xe2\x80\x99s security assessment methodology did\n        not identify examination techniques for some monitoring network and device\n        communications, which may have left critical network vulnerabilities unaddressed. 
The\n        original reason for planning and conducting these network assessments was to identify,\n\n\n15\n   U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2009 Federal Information\nSecurity Management Act Report, Audit Report 50501-0015-FM (October 1, 2009).\n16\n   U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2011 Federal Information\nSecurity Management Act Report, Audit Report 50501-0002-12 (November 15, 2011).\n17\n   Public Law 111-81, Agriculture, Rural Development, Food and Drug Administration, and Related Agencies\nAppropriation Bill, 2010 (June 23, 2009).\n18\n   Report to Congress on the Status of Information Technology Security FY 2010 Program Activities through early\nFebruary 2010; Subcommittee on Agriculture, Rural Development, Food and Drug Administration, and Related\nAgencies (May 17, 2010).\n19\n   National Institute of Standards and Technology (NIST) Special Publication 800-115, Technical Guide to\nInformation Security Testing and Assessment (September 2008).\n\n6     AUDIT REPORT 88401-0001-12\n\x0c         track, and mitigate security weaknesses. In addition, though required by Office of\n         Management and Budget (OMB), none of the Department\xe2\x80\x99s agencies created Plans of\n         Action and Milestones (POA&Ms) for the vulnerabilities identified by the network\n         assessments because OCIO did not enforce compliance. 20\n\n         OCIO expended over $6.7 million in FYs 2010 and 2011 for three projects not proposed\n         to Congress (Exhibit A).21 For example, a two-year internship program, which cost\n         approximately $2 million, was initiated with these funds. 
This project is intended to\n         develop and sustain a highly skilled IT security and computer technology workforce.\n         Expenditures for FY 2010 and 2011 included over $686,000 for development and\n         implementation of a networking website and approximately $192,500 in housing costs for\n         two summers. While the intern program may be a beneficial step in the long-run, it did\n         little to further the more pressing objective of improving USDA\xe2\x80\x99s IT security. Focusing\n         resources on this project may have detracted from other, more pressing projects, such as\n         conducting network security assessments, that more directly addressed Congress\xe2\x80\x99 and the\n         Department\xe2\x80\x99s IT security priorities.\n\n         We found that the projects OCIO initiated did not always align with the priorities laid out\n         in OCIO\xe2\x80\x99s own initial planning efforts. Prior to receiving increased funding, OCIO\n         developed a 36-month plan and invited USDA agencies to provide input to develop\n         project initiatives based on the various needs of the Department. Referred to as the Tiger\n         Team, representatives from 5 of USDA\xe2\x80\x99s 33 agencies and offices developed a total of 37\n         solutions to IT security issues.22 While this should have been a key step to planning and\n         addressing assessed Departmental needs, we found that three of the Tiger Team\xe2\x80\x99s\n         highest-priority initiatives\xe2\x80\x94physical security, media sanitization and disposal, and\n         network firewalls\xe2\x80\x94were not addressed by the 16 selected projects.23\n\n         Projects Not Fully Implemented\n\n         With multiple, interconnected projects to manage, it is important that OCIO ensure that\n         projects are implemented with realistic and manageable timeframes. 
Without these\n\n20\n   OMB Memorandum 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\nAct (August 23, 2004), requires agencies to prepare POA&Ms for all programs and systems where an IT security\nweakness has been found. POA&Ms identify tasks needing to be accomplished to assist agencies in assessing,\nprioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and\nsystems. A POA&M details resources required to accomplish the elements of the plan, milestones for meeting the\ntask, and scheduled completion dates for the milestones.\n21\n   Although we acknowledge that one of these projects, Certification and Accreditation, was initiated to remedy a\nprevious OIG recommendation, we have included it in this report, because it was not included as a security initiative\nby OCIO as a basis for increasing its funding in its request to Congress.\n22\n   The five agencies consisted of OCIO, the Food and Nutrition Service, the Animal and Plant Health Inspection\nService, the Office of the Chief Financial Officer, and the Forest Service\xe2\x80\x94which constitutes a small portion of\nUSDA\xe2\x80\x99s total 33 agencies and offices.\n23\n   The Tiger Team determined the highest priority initiatives by aggregating decision criteria such as mitigating risk,\nbusiness impact, and meeting regulatory requirements. Physical security refers to the controls that help protect\ncomputer facilities and resources from espionage, sabotage, damage, and theft. Media sanitization and disposal\nrefers to the disposal, clearing, purging, and destroying of media when no longer needed. 
Network firewalls allow\nor disallow communication to or from networks based upon rule sets determined by the agency.\n\n                                                                           AUDIT REPORT 88401-0001-12                7\n\x0c        measures, security enhancements may be outdated by the time projects are completed. In\n        December 2010, the U.S. Chief Information Officer explained that to prevent\n        implementing outdated technology and solutions, Federal IT programs must be structured\n        to deploy working business functionality in release cycles no longer than 12 months and,\n        ideally, less than 6 months, with initial deployment to end users no later than 18 months\n        after the program begins.24, 25 Additionally, to ensure that IT projects progress as\n        planned, the Clinger-Cohen Act of 1996 requires agency management to implement a\n        system of milestones for measuring IT project progress.26\n\n        However, we found that OCIO has initiated more projects than it can complete in a\n        reasonable timeframe. Of the 16 projects OCIO undertook to further USDA IT security\n        efforts, 7 projects were completed. Of these, 3 were pilot projects conducted to evaluate\n        potential software options for the Department, none of which were determined to be\n        viable. As of February 2012, 9 projects were still in progress for longer than the U.S.\n        Chief Information Officer\xe2\x80\x99s recommended 12-month implementation timeframe. OCIO\n        did not create milestones for eight projects, and critical projects have not been completed\n        because significant resources were redirected elsewhere.\n\n        These critical projects have not been as comprehensive as they were intended to be. 
For\n        example, in FY 2010, OCIO informed Congress that it would utilize $12.3 million to\n        establish ASOC, which was to \xe2\x80\x9ccoordinate continuous 24x7x365 security operations to\n        defend USDA information, assets, network and systems.\xe2\x80\x9d27 For FYs 2010 and 2011,\n        OCIO has expended over $18.7 million towards accomplishing this goal. OCIO\n        expended an additional $10.6 million for the security sensor array project, to \xe2\x80\x9cemploy\n        state of the art monitoring, incident response, threat analysis, and forensics\n        capabilities.\xe2\x80\x9d28\n\n        However, we found that while OCIO has tools in place for monitoring daily data, security\n        efforts are not as robust or comprehensive as they should be to support an effective\n        24x7x365 security operation. While the security sensor array gathers data for threat\n        analysis and forensics capabilities, this information is not fully analyzed, and has resulted\n        in security issues not being investigated. Though this stands as an immense and\n        important undertaking which OCIO has invested $29.3 million towards accomplishing,\n        ASOC has only assigned two individuals to work on data monitoring and analysis and it\n        only operates 11 hours a day, 5 days a week. OCIO stated that the resources required to\n        fully review, address, and resolve every event that the security sensor array identifies is\n        unknown due to the tremendous amount of data generated. We found that because OCIO\n        has not designated the necessary number of personnel, OCIO is only able to analyze and\n\n24\n   The U.S. 
Chief Information Officer position was established within the White House\xe2\x80\x99s OMB to provide\nleadership and oversight for IT spending throughout the Federal Government.\n25\n   25 Point Implementation Plan to Reform Federal Information Technology Management (December 9, 2010).\n26\n   Clinger-Cohen Act (January 1996).\n27\n   2010 USDA Budget Explanatory Notes for Committee on Appropriations, Office of the Chief Information Officer.\n24x7x365 is defined as 24 hours a day, 7 days a week, and 365 days a year.\n28\n   The ASOC security sensor array is a comprehensive and cohesive integrated security solution comprised of a suite\nof security tools, which have been deployed at multiple locations across the country within the USDA\xe2\x80\x99s network and\nis the foundation for enterprise-wide security monitoring, detection, and protection.\n\n8     AUDIT REPORT 88401-0001-12\n\x0c        process approximately 10 security incidents a week. This allows the vast majority of\n        incidents to go unanalyzed.\n\n        Additionally, OCIO was not adequately remediating identified weaknesses. First, we\n        found during our review that OCIO was not conducting vulnerability scans. 29 OCIO\n        stated that it did not have the licensing available to accomplish scanning. As of January\n        2012, ASOC has been performing vulnerability scans as recommended by OIG and\n        dictated by USDA policy. Second, OIG identified 77 of 333 software packages on the\n        security sensor array that had not received recommended security patches.30 These\n        patches safeguard against known security threats and are a necessary step for IT security.\n        Finally, as of February 2012, we found there were 1,309 critical and high unmitigated\n        vulnerabilities, of which 624 were over 30 days old and POA&Ms had not been created.31\n\n        We also found that projects were not as far along as they should have been. 
For example, several projects have been partially implemented because of a sudden reduction in contractor personnel. When OCIO received a total of $40 million for FY 2011, $22 million less than what it anticipated, OCIO decided to reduce the number of contractors working on key projects from 48 to 4. As a result of this abrupt, unanticipated transition, progress on several projects was halted or delayed. For example, two contractor-run projects, with a total cost of $4.7 million, were intended to create and implement required risk management policy and procedures to ensure agency compliance with Federal and Departmental regulations.32 However, OCIO was not efficiently monitoring the contractors' progress. Consequently, when budgetary cuts came and the contracts were terminated, OCIO was not aware of the contractors' progress and therefore was unable to fully utilize the work performed by the contractors. This set OCIO back significantly, and OCIO was unable to meet Federal guidelines. Additionally, when OCIO released the contractor assigned to a $2.9 million project, OCIO found that it did not have access to the administrator functions—which had been maintained by the contractor. Although some functions were available, without access to the administrator accounts OCIO was unable to provide critical Department-level information.

29 Vulnerability scanning is the process of searching the network and its devices, including servers, for known vulnerabilities. It is used to identify vulnerabilities that need to be remediated and also to verify that required patches have been applied. Patching is the process of applying software updates to remediate and prevent known vulnerabilities.
Software vendors release patches periodically to fix known flaws and to upgrade the software.
30 Vulnerability data were obtained for 3 of the 11 security sensor sites, which included the primary, backup, and monitoring sites.
31 The vulnerability scanning software ranks vulnerabilities on a severity scale of 1-10. The scanning software considers vulnerabilities ranked 4-10 as critical or high. The Department Plan of Action and Milestones Management Standard Operating Procedure (June 29, 2011) requires that POA&Ms identify the source of the vulnerability and be created within 30 days of vulnerability identification if the vulnerability is not immediately resolved.
32 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37 (February 2010).

Project and Resources Were Not Efficiently Managed

With fluctuating budgets on multiple, high-priority projects, it is crucial that project expenditures be carefully managed, both collaboratively between projects and within individual projects. Without careful management of resources and expenditures, OCIO cannot ensure that funds are expended as originally intended for uses that would best accomplish project goals.
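The vulnerability backlog described in the preceding finding (critical and high findings more than 30 days old with no POA&M, with footnote 31 defining severity 4-10 as critical or high) is a check that can be run directly against a scanner export rather than compiled by hand. The following Python is an added example written for this page; it is not part of the audit report and is not OCIO's or the scanning vendor's code. The CSV column names, host names, finding titles and dates are constructed sample data, and the as-of date is an assumption.

```python
"""POA&M aging check over vulnerability-scan records (added example).

Applies the rule described in footnote 31 of the audit: the scanner's
1-10 severity scale treats 4-10 as critical or high, and a POA&M must be
created within 30 days of identification unless the finding was resolved
immediately. The CSV layout and field names below are assumptions, not
any real scanner's export format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

CRITICAL_HIGH_MIN = 4     # severity 4-10 counts as critical or high
POAM_DEADLINE_DAYS = 30   # POA&M required within 30 days of identification

# Constructed sample export; not real USDA scan data.
SAMPLE_SCAN_CSV = """\
host,finding,severity,first_seen,resolved,poam_id
sensor-01.example,Outdated OpenSSL,9,2011-12-01,,
sensor-01.example,Weak cipher suite,5,2012-01-20,,POAM-0001
sensor-02.example,Missing kernel patch,7,2012-01-25,,
sensor-02.example,Banner disclosure,2,2011-11-15,,
backup-01.example,Default SNMP community,8,2011-10-02,2011-10-03,
monitor-01.example,Unpatched Java runtime,10,2012-01-10,,
"""


@dataclass
class Finding:
    host: str
    finding: str
    severity: int
    first_seen: date
    resolved: bool
    poam_id: str

    def is_critical_or_high(self):
        return self.severity >= CRITICAL_HIGH_MIN

    def age_days(self, as_of):
        return (as_of - self.first_seen).days

    def poam_overdue(self, as_of):
        # Open critical/high finding past the deadline with no POA&M on file.
        return (self.is_critical_or_high()
                and not self.resolved
                and not self.poam_id
                and self.age_days(as_of) > POAM_DEADLINE_DAYS)


def parse_scan(csv_text):
    """Parse the constructed CSV export into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append(Finding(
            host=row["host"],
            finding=row["finding"],
            severity=int(row["severity"]),
            first_seen=date.fromisoformat(row["first_seen"]),
            resolved=bool(row["resolved"].strip()),   # empty = still open
            poam_id=row["poam_id"].strip(),
        ))
    return findings


def poam_report(findings, as_of_iso):
    """Summarise unmitigated critical/high findings and POA&M overdues."""
    as_of = date.fromisoformat(as_of_iso)
    open_ch = [f for f in findings if f.is_critical_or_high() and not f.resolved]
    overdue = [f for f in open_ch if f.poam_overdue(as_of)]
    return {
        "unmitigated_critical_high": len(open_ch),
        "overdue_without_poam": len(overdue),
        "overdue_hosts": sorted({f.host for f in overdue}),
    }


if __name__ == "__main__":
    # As-of date is an assumption chosen to match the audit's February 2012 count.
    print(poam_report(parse_scan(SAMPLE_SCAN_CSV), "2012-02-15"))
```

On the sample data the report counts four open critical/high findings, two of which are past the 30-day window with no POA&M; a finding that is 21 days old stays out of the overdue list, and a severity-2 finding is never counted, which is the distinction the auditors' 1,309 and 624 figures rely on.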
The Government Accountability Office (GAO) states that effective stewardship of Federal funds depends upon the establishment of certain internal controls meant to ensure that those funds are used in the most efficient manner to maximize the impact of the funding received.33 Likewise, the USDA Management Control Manual states that management controls are used to reasonably ensure that projects and resources are protected from waste and mismanagement.34

However, we found that OCIO had not managed resources efficiently for some of its key IT security projects. Specifically:

·   In FYs 2010 and 2011, OCIO spent at least $1.8 million to acquire four tools for the security sensor array project—which are not currently used—and subsequently spent additional annual maintenance costs of approximately $1.2 million. In addition, OCIO determined that one of these tools, costing approximately $425,000, could not handle the amount of data that USDA's network generates. OCIO has maintained this tool at a cost of approximately $81,000 annually but has not been able to utilize it. As of December 2011, OCIO stated that it was determining the feasibility of using the tool elsewhere.
·   In FY 2010, OCIO spent $235,000 to research possible solutions for a project intended to prevent data leakage outside of USDA networks.35 The project was subsequently cancelled because its goals were redundant with another ongoing project, the security sensor array.

With proper coordination within OCIO and improved communication between project managers, these unnecessary costs could have been avoided.
Careful planning and coordination of expenditures is necessary to ensure projects and project costs are optimized to accomplish IT security goals and reduce wasteful spending.

In other instances, OCIO did not appropriately track resources or expenditures. Guidance from the Office of the Chief Financial Officer states that all direct costs, such as salary and other benefits for employees working directly on projects, and all goods and services must be included in the full cost of projects.36 However, we found that 11 of 16 projects did not have Federal salaries and benefits charged to them. One project charter specifically instructed Federal employees to track their hours but not to charge them to the project, even though Federal employees were working directly on the project, as indicated by bonuses and travel expenses charged to this project. For another project, OCIO explained that full contract costs were not included in the project in order "to maximize the ASOC security dollars."

33 GAO, Standards for Internal Control in the Federal Government (November 1999).
34 USDA Management Control Manual, Department Manual 1110-002 (November 29, 2002).
35 Data leakage refers to the unauthorized transfer of information from a computer or datacenter to the outside world.
36 Office of Chief Financial Officer, Agriculture Financial Standards Manual (May 2004).

Without providing supporting documentation for accounting transactions, OCIO cannot adequately oversee and manage its projects. OCIO assigned this responsibility to the control account managers (CAMs), who were required to track, summarize, and report all obligations and expenditures. We found that OCIO lacked oversight on several of its projects.
For example, expenditures for two projects exceeded obligations by approximately $1.2 million. The two project CAMs could not adequately justify the expenditure overages with supporting documentation. One of these projects also incurred interest charges due to a late payment.

We also found that OCIO was not taking adequate steps to document and account for its projects in order to ensure that it was providing adequate oversight. For instance, OCIO could not provide OIG with 36 contracts that would explain specific contractor work, deliverables, and costs.37 When we asked how many project contracts there were in total, OCIO was not able to provide a comprehensive list of all project contracts.

These issues occurred because OCIO had not established internal control procedures, such as monitoring and oversight, for project management, and did not adequately plan its projects or how it would utilize resources. When we looked at OCIO's internal controls for the 16 projects, we noticed an overall lack of the controls necessary to ensure timelines were met, and to ensure funds and supporting documentation were appropriately tracked.
Specifically, OCIO did not:

·   provide an organizational structure to facilitate project oversight and timelines;
·   have an overall project plan that considered risk factors that could impact completion of the security projects—such as budget reductions;
·   implement appropriate policies, procedures, techniques, and control mechanisms to ensure sufficient documentation and expense management; or
·   put a system in place to identify and communicate information to decision makers, such as regular project progress updates for on-going contracted work.

We also found that OCIO was not properly coordinating between projects in order to prevent duplicate project objectives. OCIO officials, CAMs, and contractors did not effectively communicate within projects in order to accurately track and monitor project progress, costs, and status.

When we spoke to OCIO regarding the number of projects initiated, OCIO felt it could not have scaled down the number of simultaneous projects because IT systems are complex and require many components to come together. While we acknowledge that IT projects—like many projects—are complex, initiating all plans simultaneously led to a thin distribution of resources and strained oversight capabilities.
While these 16 projects may be beneficial to the Department's overall IT security efforts, it would have been more effective to implement a manageable number of projects, allowing for complete implementation, monitoring, and planning—rather than a thinly distributed effort across multiple fronts.

37 We use the term "contracts" to refer to both agreements made with non-Federal vendors and with other Federal agencies.

OCIO also explained that many projects were delayed due to administrative challenges, such as the migration of accounting records to a new financial system. Although we acknowledge that migrating to a new accounting system poses a significant challenge, OCIO is responsible for being able to account for money spent, and the new financial system is USDA's required system of record.

Additionally, OCIO stated that it did not receive funding until the second quarter of FY 2010, which resulted in officials needing to spend the funds in a shorter timeframe than anticipated. However, we determined that funding was actually apportioned in November 2009.38 We also found the Tiger Team planning meeting took place in May 2009, prior to OCIO receiving the appropriation. With adequate planning, OCIO should have determined the best use of funds and how to monitor expenditures, even with a shortened timeframe.

We acknowledge that OCIO has made progress in several key areas, including system security documentation; improving its identity and access management program; and completing a deployment of a suite of network monitoring and detection tools, which should further enhance the security of its networks.
While OCIO has made progress in addressing the Department's IT security needs, as stated in three previous audits, OCIO's efforts could have had more impact if projects and resources had been better planned and effectively managed.39 Because they were not, the Department is still at significant risk, even after the additional funding. Once USDA deploys adequate resources to properly configure and completely monitor these tools, the Department's security posture should greatly improve.

Recommendation 1
Document the prioritization of projects Departmentwide to ensure the most critical projects take a higher precedence than other, non-critical projects.

Agency Response

OCIO concurs with this recommendation. On May 31, 2012, OCIO prioritized projects with the establishment of Continuous Monitoring as its highest priority project for 2013. The second highest priority project is the identification and development of program metrics and key performance indicators.

38 According to OMB A-11.120.1, Preparation, Submission, and Execution of the Budget (August 2011), an apportionment identifies the amounts available for obligation and expenditure. It specifies and limits the obligations that may be incurred and expenditures made for specific time periods, programs, activities, projects, objects, or any combination thereof.
39 U.S. Department of Agriculture, Office of the Chief Information Officer, Federal Information Security Management Act Report, FYs 2009-2011, 50501-0015-FM (October 2009), 50501-0002-IT (November 2010), and 50501-0002-12 (November 2011).
The third priority for OCIO in the coming year is the introduction and effective engagement of the agency security and operational personnel.

OIG Position

We concur with the agency response for this recommendation and have reached management decision.

Recommendation 2
Designate sufficient resources to adequately configure and monitor the security sensor array in order to defend USDA's information system against external and internal threats.

Agency Response

OCIO stated it will provide planned accomplishments and timelines to designate a group of security sensor array experts who will develop and provide instructions and hands-on training to agency IT personnel, and bring agency subject matter experts in to help OCIO better understand agency data and activities within 120 days of the date of this final report.

OIG Position

While OIG agrees this course of action will help to address this recommendation, in order to reach management decision, OCIO needs to finalize the plans and provide estimated completion dates for implementing these planned actions.

Recommendation 3
Develop detailed internal control procedures for project management that include the requirement to specify and document project milestones, accurately allocate and track project costs, develop project timelines, and establish project-specific roles and responsibilities.

Agency Response

OCIO implemented internal control procedures for managing initiatives by implementing a methodology for managing projects. As of FY 2010, OCIO required project managers to engage with the Portfolio and Project Management Branch of International Technology Services. OCIO will require all new projects to conform to the single artificial risk matrix model.
These efforts have been supplemented with the ASOC contracted Project Management Office team to develop required project documentation that includes tailored project charters, defined roles and responsibilities, project plans, work breakdown structures, and project schedules.

OIG Position

While OIG concurs with OCIO's proposed actions, in order to reach management decision, OCIO needs to formalize this requirement in a policy and procedure and provide estimated release dates.

Recommendation 4
Strengthen communication and coordination between OCIO management, project managers (CAMs), and contractors, allowing the different parties to work collaboratively and effectively.

Agency Response

OCIO has worked in collaboration with the OCIO Program Management Office to manage the security project portfolio. At a minimum, all project managers communicate project status through project team reports to the CAM; and the CAM, in turn, reports to OCIO leadership and its project management branch.

OIG Position

In order to reach management decision, OCIO needs to specify actions taken or that it plans to take and provide actual or estimated completion dates for implementation.

Scope and Methodology

Our review analyzed the funding that OCIO received in FYs 2010 and 2011, primarily focusing on the increased funding allocation for security enhancements.
We compared the controls that OCIO had in place to plan, spend, and monitor this funding to GAO's Standards for Internal Control in the Federal Government.

Fieldwork for this audit was performed from March 2011 through January 2012 in Washington, D.C.; Kansas City, Missouri; and Denver and Fort Collins, Colorado.

To accomplish our audit objective, we performed the following procedures:

·   Reviewed Office of Budget and Program Analysis (OBPA) and Congressional documentation regarding the increased funding allocation for the security enhancements.40
·   Reviewed the methods and controls that OCIO put in place for implementing and monitoring the security enhancement projects as per budgetary requirements (Public Law 111-80), OMB, OBPA, and the Federal Acquisition Regulation (FAR).
·   Reviewed financial transactions recorded in OCIO's accounting system associated with the FY 2010 and 2011 OCIO appropriations.41
·   Selected a judgmental sample of contracts and transactions for analysis. The judgmental sample was based upon the number and availability of contracts within each project.
·   Tested a judgmental sample of contracts using FAR guidelines.42
·   Reviewed and analyzed financial transaction documentation support including contracts, statements of work, reimbursable agreements, and invoices.

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

40 Documents included the Appropriations Acts of 2010, 2011, and 2012; House of Representatives Explanatory Notes; and documents provided by OCIO to the House Appropriation Subcommittee staff.
41 We relied on information from the Financial Management Modernization Initiative system. This is the USDA accounting system of record and is reviewed by OIG in Department of Agriculture's Consolidated Financial Statements for Fiscal Years 2010 and 2009, 50401-70-FM (November 2010) and Department of Agriculture's Consolidated Financial Statements for Fiscal Years 2011 and 2010, 50401-0001-11 (November 2011).
42 FAR Part 6.1-6.3, Fair and Open Competition; and Part 15.406-3, Documenting the Negotiation.

Abbreviations

ASOC      Agriculture Security Operations Center
CAMs      Control Account Managers
CIO       Chief Information Officer
FAR       Federal Acquisition Regulation
FY        Fiscal Year
GAO       Government Accountability Office
IT        Information Technology
NIST      National Institute of Standards and Technology
OBPA      Office of Budget and Program Analysis
OCIO      Office of the Chief Information Officer
OIG       Office of Inspector General
OMB       Office of Management and Budget
POA&Ms    Plans of Action and Milestones
USDA      Department of Agriculture

Exhibit A: OCIO Projects Not in Budgetary Request to Congress

  Project                                          FY 2010 & 2011 Expenditures
  IT Intern Program                                               $2,013,396
  Re-engineered Certification and Accreditation                   $2,458,360
  Governance, Risk and Compliance                                 $2,249,998
  Total                                                           $6,721,754

Agency's Response

USDA'S OFFICE OF THE CHIEF INFORMATION OFFICER'S RESPONSE TO AUDIT REPORT

United States Department of Agriculture
Office of the Chief Information Officer
1400 Independence Avenue S.W.
Washington, DC 20250

June 21, 2012

TO:        Gil H. Harden
           Assistant Inspector General for Audit

FROM:      Cheryl L. Cook /s/
           Acting, Chief Information Officer

SUBJECT:   Request for Management Decision Concurrence on Recommendations 1-4
           Office of Inspector General Audit # 88401-0001-12
           "Audit of the Office of the Chief Information Officer's FYs 2010 and 2011 Funding Received for Security Enhancements"

The Office of the Chief Information Officer (OCIO) is requesting Management Decision concurrence on recommendation(s) 1-4 of the subject audit. OCIO concurs with all 4 recommendations. However, it is important to note that over the past year, OCIO has put in place processes and procedures as part of the ongoing maturity of the Agriculture Security Operations Center program that address the basis for the recommendations. These processes and procedures may not have been fully implemented at the outset of the audit.

Recommendation 1 – Document the prioritization of projects Department-wide to ensure the most critical projects have a higher precedence than other, non-critical projects.

OCIO concurs with this recommendation. OCIO/Agriculture Security Operations Center (ASOC) has established rigorous procedures to focus on critical security concerns. ASOC will continue to work with OIG to ensure that the documentation of priorities is in an acceptable format. Securing our nation against cyber attacks has become one of the nation's highest priorities.
As the organization charged with the responsibility for ensuring the Department's ability to support the national food supply chain, the agriculture economy, research and development, and an active loan portfolio of over $120 billion, we understand the challenges of securing this complex environment; as such, this urgent and compelling workload demands that we successfully manage multiple projects, risks, and emerging requirements on a daily basis. In response to this recommendation, on May 31, 2012, ASOC takes the establishment of Continuous Monitoring as its highest priority project for 2013. The biggest single issue facing ASOC, and USDA Enterprise Security as a whole, is the challenge of transforming security awareness through the automation of the risk and continuous assessment of the enterprise. Frequently referred to as Continuous Monitoring (CM), it is the challenge of taking the technology and processes that ASOC has built over the last two years (including BigFix™, the Security Sensor Array, Opnet™, and the ASOC monitoring, analysis, and forensics programs), weaving in the data and activities of OCIO and agency operational IT programs, and producing timely and actionable intelligence on the state of the enterprise and the prioritized issues requiring attention. Critical to determining the success of this effort will be the early agreement with OIG on how a nascent CM program will be measured and evaluated.
Emerging guidance from the Office of Management and Budget, the Department of Homeland Security, and the National Institute of Standards and Technology are all clear that there is no boilerplate approach to CM; each agency must determine what controls and processes can be adapted, and how that adaptation can best be assessed. The ASOC efforts toward CM will be focused on continuous vulnerability assessment, which should be understood to be an activity set different from CM for continuous authorization, which is targeted to replace manual Certification and Accreditation activities. The planned ASOC activities are foundational for much of the Continuous Authorization model as it is currently being developed in the federal community. ASOC will complete the rollout of the Enterprise Vulnerability Scanner as a critical component of the continuous monitoring model. Within 120 days of this final report, ASOC will provide planned accomplishments and timelines regarding continuous monitoring.

AN EQUAL OPPORTUNITY EMPLOYER

A second high priority project for ASOC, identified on May 31, 2012, in conjunction with the CM activity, is the identification and development of program metrics and key performance indicators. Effective program management requires both the bottom-up (from the CM functions) and a top-down approach. The latter will be achieved through a cross-OCIO management effort that will identify and measure critical interdependencies, and the portion of those elements that can be met from ASOC data resources. We anticipate that developing useful metrics and KPIs will be an evolutionary process. ASOC recognizes the need to continuously improve them, based upon OIG and the Agency feedback, in order to shift focus in response to the evolving nature of cyber security threats.
Within 120 days of this final report, ASOC will provide planned accomplishments and timelines regarding program metrics and key performance indicators.

The third priority for ASOC in the coming year (identified on May 31, 2012) is the introduction and effective engagement of the agency security and operational personnel. Incident Response is hampered when the parties engaged do not understand each other's methods, or the underlying data upon which the incident is predicated. Further, ASOC is hampered by the reduction in resources available to review and analyze the data being made available by the Security Sensor Array (SSA). By training agency personnel on ASOC tools and methods, and then extending connectivity to the SSA in a secure manner to those same agency personnel, ASOC can double or treble the number of simultaneous analysis sessions being performed. The agency personnel will also bring their subject matter expertise regarding agency data and activities to the ASOC, allowing the SSA tools to be further enhanced and tuned for more accurate monitoring. In addition, ASOC will continue to leverage its investment in the SSA by developing and publishing agency-specific status reports in order to help agency CIOs and system owners improve their security posture. Within 120 days of this final report, ASOC will provide planned accomplishments and timelines regarding the introduction and effective engagement of agency security and operational personnel.

Recommendation 2 – Designate sufficient resources to adequately configure and monitor the security sensor array in order to defend USDA's information system against external and internal threats.

OCIO concurs with this recommendation.
The architecture design of the security sensor array provides a means for granular control of ASOC infrastructure at the point of presence (POP); and includes the ability to work closer to infected workstations as well as detect lateral POP attack/infection. Information Security subject matter experts across the enterprise are being trained to make use of the enhanced awareness provided by the security sensor array.

With the implementation of the Security Stack Array (SSA) in April 2011, OCIO has been able to shift the USDA posture in security cyber threat operations from a reactive to a proactive state. The array has greatly reduced the amount of data exfiltrated (stolen) from USDA. We have been and will continue to fine tune the tool's capabilities, reduce false positives, and train the supporting technical staff on the administration and usage of all the tool capabilities so that the tools can be used in a fully functional operational environment. Additionally, OCIO quickly recognized that the volume of potential security events that the Security Stack Array was identifying on a daily basis was presenting an enormous challenge to manage and research in a timely manner. To address this, OCIO initiated an effort to develop and tune automated security rules and conditions to handle the volume of data. This effort was temporarily impacted when the budget was reduced in April 2011.

To partially meet the budget challenge, we have realigned staffing to better utilize our resources, improve general IT hygiene, and concentrate on High Value Targets (HVT) (personnel, systems and endpoints). We are also developing a cadre of SSA expertise by providing instruction and hands-on training to agency IT personnel, bringing agency subject matter experts in to help OCIO better understand agency data and activities.
The goal is to continue to fine-tune the SSA through implementation of security rules and conditions to proactively identify true attacks and compromises, and greatly reduce the false positives. Within 120 days of this final report, ASOC will provide planned accomplishments and timelines regarding this effort.

Recommendation 3 – Develop detailed internal control procedures for project management that include the requirement to specify and document project milestones, accurately allocate and track project costs, develop project timelines, and establish project-specific roles and responsibilities.

OCIO concurs with this recommendation. OCIO has implemented internal control procedures for managing ASOC Initiatives. The Portfolio and Project Management Branch (PPMB) of International Technology Services (ITS) was engaged at the onset of fiscal year 2010 to implement a consistent methodology for managing projects. The ITS PPMB Portfolio and Project Management Procedural Guide established management policies, procedures, and practices governing the origination, initiation, planning, implementation and closeout of the portfolio management framework and the ITS 5D Solution Life Cycle (Discover, Define, Design, Develop, and Deliver) stages of the Project Management Framework.

ASOC has established an internal management structure for project control adhering to the methodologies established by the PPMB framework and following principles based upon the PMI Project Management Body of Knowledge (PMBOK). Roles and responsibilities are defined in each project charter and identify each respective project stakeholder to their project function. Control Account Managers (CAMs), who are also OCIO program leaders, have been assigned delegated obligation authority to manage one or more control accounts, and are given the autonomy to assign the appropriate project resource levels to fulfill the expected outcomes.
CAMs identify risks throughout each project’s lifecycle and identify strategies to\nminimize the impact of risk occurrence. OCIO/ASOC also installed a team of certified\nProject Managers to serve as liaison to the CAMs, and each has been charged with ensuring\nthat the internal project framework is implemented and followed. Project performance is\nmeasured against the project baseline in terms of schedule, cost, scope and quality, and project\nstatus information is communicated during OCIO bi-weekly meetings where OCIO leadership\nis able to make key project decisions and recommendations. A change management process\nhas been instituted to establish an orderly and effective procedure for tracking the submission,\ncoordination, review, evaluation, and approval for release of all changes to the project’s\nbaselines. OCIO has also implemented several oversight mechanisms for detecting individual\nproject risk. The overall project objectives have been defined in the project charters, and are\nalso monitored via the bi-weekly CAMs meetings, and are supplemented with weekly senior\nexecutive reporting. 
Risks for each project are identified and addressed during the bi-weekly\nCAMs and/or senior executive reporting.\n\nIn addition, a project control environment has been provided by ITS support services which\nincluded cost accounting models, templates, and a common reporting forum (e.g., SharePoint).\nThese efforts have been supplemented with the ASOC contracted PMO team to develop\nrequired project documentation that includes tailored project charters, defined roles and\nresponsibilities, project plans, work breakdown structure (WBS), and project schedules.\nOCIO/ASOC have implemented a cost control governance model based upon the industry\nstandard Project Management Body of Knowledge (PMBOK), and with the assistance of\nOCIO/ITS, have developed and deployed one of the most sophisticated Cost Models ever\nattempted in FMMI. Continuous status and financial monitoring are an integral part of the\nASOC activities, and have included ensuring appropriate closeout activities after the\nunexpected funding cut.\n\nBecause projects are at various stages of their respective life cycle, ASOC, in the interest of\nefficiency, has not required all projects to restart and re-develop all project artifacts into a\nsingle artificial risk matrix model. However, individual project risk was managed as part of\noverall governance, and, going forward, all new projects will conform to the recommended\nsingle artificial risk matrix model.\n\nRecommendation 4 – Strengthen communication and coordination between OCIO\nmanagement, project managers (CAM), and contractors, allowing the different parties to work\ncollaboratively and effectively.\n\nOCIO concurs with this recommendation. ASOC has worked in collaboration with the Office\nof the Chief Information Officer (OCIO) Program Management Office (PgMO) to manage the\nsecurity project portfolio. 
ASOC directs the management of all security initiatives and\nprojects, determines priorities, and governs the strategic decision-making. OCIO PgMO\ndirects the business practices that bring the world of projects into tight integration with USDA\nenterprise business operations. This combined leadership oversight affirms cross-agency\nand/or interoffice coordination of work efforts. Major components of the Project Portfolio\nManagement include:\n\n     ·    Management oversight and governance\n     ·    Budget management\n     ·    Acquisition management\n     ·    Risk management\n     ·    Stakeholder management\n     ·    Standards and best practices\n     ·    Strategic goals and objectives\n     ·    Performance criteria (metrics), and\n     ·    Enterprise reporting\n\nAt a minimum, all projects communicate project status, whereby each project team reports to\nthe CAM; and the CAM, in turn, reports to ASOC leadership and OCIO PgMO. Two typical\nforums for communicating status are through bi-weekly OCIO project status meetings and\nASOC project roadmap status reports. Each forum provides an opportunity for knowledge\nsharing and coordination amongst CAMs, ASOC leadership, and OCIO PgMO.\n\nOCIO always strives to provide multiple conduits for communication opportunities between\nOCIO Federal staff, contractors and assigned project managers. OCIO also meets weekly with\nthe project leads for all contracts. Within 120 days of this final report, ASOC will provide\nplanned accomplishments and timelines regarding this effort.\n\nWe shall continue to keep you posted on our progress on these recommendations.\n\nIf additional information is needed, please contact Denice A. Lotson, OCIO Audit Liaison, at\ntelephone number (202) 720-9384.\n\x0cAttachments\n\ncc: Lennetta Elias, Program Analyst, OCFO (w/attachment)\n    Denice A. 
Lotson, Management Analyst (w/attachment)\n\x0cInformational copies of this report have been distributed to:\n\nOffice of the Chief Information Officer\n Attn: Agency Liaison Officer (3)\n\nGovernment Accountability Office (1)\n\nOffice of Management and Budget (1)\n\nOffice of the Chief Financial Officer\n Attn: Director, Planning and Accountability Division (1)\n\x0cTo learn more about OIG, visit our website at\nwww.usda.gov/oig/index.htm\n\nHow To Report Suspected Wrongdoing in USDA Programs\n\nFraud, Waste, and Abuse\nIn Washington, DC 202-690-1622\nOutside DC 800-424-9121\nTDD (Call Collect) 202-690-1202\n\nBribes or Gratuities\n202-720-7257 (Monday-Friday, 9:00 a.m.-3 p.m. ET)\n\nThe U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin,\nage, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual\norientation, political beliefs, genetic information, reprisal, or because all or part of an individual's income is derived from any public assistance program.\n(Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information\n(Braille, large print, audiotape, etc.) should contact USDA's TARGET Center at (202) 720-2600 (voice and TDD). USDA is an equal opportunity provider\nand employer.\n\x0c"